Wireshark · Wireshark-users: Re: [Wireshark-users] Capture Filter for Country

Wireshark-users: Re: [Wireshark-users] Capture Filter for Country

From: Gerald Combs <gerald@xxxxxxxxxxxxx>

Date: Mon, 30 Mar 2009 11:28:03 -0700

Ron Gallimore wrote:
> Is it possible to create a capture filter to exclude any US IP
> addresses?  I am using Wireshark 1.1.2 with the GeoIP database loaded.

You should be able to use something like

    ip and not ip.geoip.country == "United States"

or

    ip.geoip.country and not ip.geoip.country == "United States"

The first filter will match any non-US IP packet including those that GeoIP
doesn't have country information for such as RFC 1918 private addresses. The
second filter will exclude everything GeoIP doesn't have country information
for, as well as US traffic.

-- 
Join us for Sharkfest’09  |  Stanford University, June 15 – 18
http://www.cacetech.com/sharkfest.09/

Follow-Ups:
- Re: [Wireshark-users] Capture Filter for Country
  - From: Guy Harris

References:
- [Wireshark-users] Capture Filter for Country
  - From: Ron Gallimore

Prev by Date: Re: [Wireshark-users] Capture Filter for Country
Next by Date: Re: [Wireshark-users] Capture Filter for Country
Previous by thread: Re: [Wireshark-users] Capture Filter for Country
Next by thread: Re: [Wireshark-users] Capture Filter for Country
Index(es):
- Date
- Thread